Thursday 27 October 2011

How To Automatically Connect To Network Shares On Login To A Mac - Part 2


Since writing my previous post on this subject I have found a much better way of doing this, and as a bonus it works as a far more generalised login script than just mapping drives.

Instead of using launchd, this approach uses an OSX feature to run applications automatically at login and logout. I found the basic technique at MacEnterprise.org, so please check out the original article describing how to set up the base system and then see below for how to set up drive mappings:

http://www.macenterprise.org/articles/runningitemsatlogin

An entry is added to the AutoLaunchedApplicationDictionary of the global loginwindow preference file. This calls an application launcher during logon for all users which then executes all scripts in a given directory.
On logout, the loginwindow LogoutHook is used to call a similar launcher to remove any drive mappings or other clean up that should be performed during logoff.

The launcher applications are just scripts that are bundled into two OS X “apps”, one for running the login scripts and one to run the logout ones. These applications and scripts are located in the following directories:

/Library/Vuzzlevuzz/LoginLauncher.app
/Library/Vuzzlevuzz/LogoutLauncher.app
/Library/Vuzzlevuzz/LoginItems
- place scripts to be run at login here
/Library/Vuzzlevuzz/LogoutItems
- place scripts to be run at logout here

The two basic scripts that should be added to the relevant folders for connecting to network shares are:

/Library/Vuzzlevuzz/LoginItems/mapVolumes.sh
#!/bin/sh
# Mount the share at login. The try block stops a failed mount (server
# unreachable, bad credentials) from aborting the login launcher.
# The quotes must be plain ASCII double quotes, not curly ones.
/usr/bin/osascript <<-EOT
try
mount volume "smb://servername/share"
end try
EOT


/Library/Vuzzlevuzz/LogoutItems/unmapVolumes.sh
#!/bin/sh
# Eject the volume at logout. "sharename" is the volume name as it
# appears under /Volumes, not the smb:// URL.
/usr/bin/osascript <<-EOT
try
tell application "Finder" to eject disk "sharename"
end try
EOT

DO NOT EDIT THESE SCRIPTS ON WINDOWS MACHINES!
Windows and Macs use different line endings (CRLF on Windows, LF on the Mac); if these files are edited on a Windows machine the scripts will not run, so all editing or creation of new scripts must be done on a Mac.


These instructions assume that the relevant files (the Vuzzlevuzz directory and below) have been copied to the desktop of the machine you are installing on and that you are logged in as a user with administrative privileges.

Open a terminal (Finder... Utilities... Terminal) and enter the following commands. (Note: each number represents one line to enter at the terminal; ignore any other line breaks.) Step 7 writes the whole loginwindow preference domain, so any AutoLaunchedApplicationDictionary entries already present are replaced. Because every script in LoginItems runs for each user who logs in, and the LogoutHook runs as root, keep /Library/Vuzzlevuzz owned by root and not writable by ordinary users.

1. sudo mkdir /Library/Vuzzlevuzz
2. sudo cp -r ~/Desktop/Vuzzlevuzz/* /Library/Vuzzlevuzz
3. sudo chmod a+x /Library/Vuzzlevuzz/LoginLauncher.app
4. sudo chmod a+x /Library/Vuzzlevuzz/LogoutLauncher.app
5. sudo chmod a+x /Library/Vuzzlevuzz/LoginItems/*
6. sudo chmod a+x /Library/Vuzzlevuzz/LogoutItems/*
7. sudo defaults write /Library/Preferences/loginwindow '{ AutoLaunchedApplicationDictionary = ({Hide = 1; Path = "/Library/Vuzzlevuzz/LoginLauncher.app"; });}'
8. sudo defaults write com.apple.loginwindow LogoutHook /Library/Vuzzlevuzz/LogoutLauncher.app
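The two scripts above mount and eject a single share. As an added example that is not part of the original post, here is a generalised mapVolumes.sh in the same style that takes a list of shares and skips any that are already mounted, so a second login does not leave a duplicate "share-1" volume under /Volumes. The SHARES list is constructed; replace it with your own server and share names.

```shell
#!/bin/sh
# Added example, not from the original post: a generalised mapVolumes.sh
# that mounts a list of SMB shares and skips any that are already mounted,
# so a second login does not leave a duplicate "share-1" under /Volumes.
# SHARES is a constructed list; replace it with your own server and shares.
SHARES="smb://servername/share smb://servername/other"

# Volume name Finder uses for a share: the last path component of the URL.
volume_name() {
    url=${1%/}
    printf '%s\n' "${url##*/}"
}

# AppleScript that mounts one share; try/end try keeps a failed mount
# (server down, bad credentials) from aborting the login launcher.
mount_script() {
    printf 'try\n    mount volume "%s"\nend try\n' "$1"
}

# AppleScript that ejects one mounted volume by name (for unmapVolumes.sh).
eject_script() {
    printf 'try\n    tell application "Finder" to eject disk "%s"\nend try\n' "$1"
}

# Mount every share in SHARES that is not already present under /Volumes
# and print how many were mounted.
mount_shares() {
    count=0
    for url in $SHARES; do
        name=$(volume_name "$url")
        if [ -d "/Volumes/$name" ]; then
            echo "already mounted: $name"
            continue
        fi
        mount_script "$url" | /usr/bin/osascript >/dev/null && count=$((count + 1))
    done
    echo "mounted $count share(s)"
}

# Only call osascript where it exists (macOS); elsewhere the helpers can
# still be used to inspect the generated AppleScript.
if command -v osascript >/dev/null 2>&1; then
    mount_shares
fi
```

A matching unmapVolumes.sh loops over the same list and pipes eject_script "$(volume_name "$url")" into /usr/bin/osascript for each entry.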


References:
http://www.macenterprise.org/articles/runningitemsatlogin

Wednesday 26 October 2011

Active Directory Login Problems with OSX 10.7.2 Lion and .local domains

Recently one of our clients had two Macs decide to drop off the domain - all of a sudden they could no longer log in to them with active directory accounts. Both machines are running OSX Lion 10.7.2 and the problem seemed to start after installing the latest updates from Apple.

Poking about on the net, this seems to be a known problem with no real solution but I managed to piece together a process to get this working.

The problem is related to the way that OSX uses the .local domain for Bonjour and uses multicast DNS queries to try to locate network resources instead of directly querying the DNS server. If you have your Active Directory domain set up as mydomain.local (which is Microsoft best practice and the default in Small Business Server) then conflicts arise. This has been an ongoing issue with using Macs in Windows domains for some time and the reliability of domain logins seems to go up and down with each new release.

My first thought was to just disable mDNS but it seems that this is not possible as OSX uses this for normal DNS queries as well as for Bonjour.

Googling reveals lots of potential solutions for different versions of OSX but none of these worked for me. Eventually by piecing different bits of information together I stumbled on a working configuration which I repeated successfully on two machines.

I'm not sure if all of this is strictly necessary. I was working on the machines in question remotely and the client needed them up and running as soon as possible, so I was not able to isolate exactly which steps are required, but there is nothing in here that will cause problems for small environments. For larger installations with multiple domain controllers this isn't really the best way of setting up machines, but it will at least get them logging on to the network until Apple can come up with a proper fix.

Before you start, if you have tried increasing the mDNS timeout settings as recommended by lots of articles on the net, then change them back. Once the machine has been set up as below it works correctly with the default, and I suspect that increasing the timeout would actually be counterproductive: we want the mDNS query to time out quickly so that the machine fails over to normal DNS queries.

Open a terminal and type:

sudo nano /System/Library/SystemConfiguration/IPMonitor.bundle/Contents/Info.plist

Ensure the mdns timeout is set to 2:

<key>mdns_timeout</key>
<integer>2</integer>

Next, ensure name resolution is set up correctly by adding mydomain.local and mydomain to the DNS Search Domains:

System Preferences, Network, Ethernet Connection, Advanced button, DNS, Search Domains
Add

mydomain.local
mydomain

Ensure the naked domain resolves by adding a record for it in the machine's hosts file.
Open a terminal and type:

sudo nano /etc/hosts

And add the following line, substituting the correct values for your environment (the hosts file format is the IP address first, then the name):

ipaddress_of_domain_controller mydomain
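The two file edits above (the mdns_timeout key and the hosts entry) are easy to get subtly wrong, and nothing complains if the hosts line has the name and address the wrong way round. As an added example that is not part of the original post, this script checks both edits; it runs on constructed sample files so it works offline, and on a real machine you would call check_config with /etc/hosts and the IPMonitor Info.plist path instead.

```shell
#!/bin/sh
# Added example, not part of the original post: checks that the two file
# edits described above were applied correctly. A swapped hosts entry
# (name before address) or a missing mdns_timeout key silently undoes them.

# Succeeds if FILE has an uncommented line whose first field is a dotted
# IPv4 address and one of the following fields is exactly NAME.
hosts_has_entry() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Prints the integer following <key>mdns_timeout</key> in a plist, or
# nothing if the key is absent.
mdns_timeout_value() {
    awk '/<key>mdns_timeout<\/key>/ { seen = 1; next }
         seen && /<integer>/ {
             sub(/.*<integer>/, ""); sub(/<\/integer>.*/, ""); print; exit
         }' "$1"
}

# Returns 0 only if HOSTS has an IP-first entry for NAME and PLIST has
# mdns_timeout = 2, i.e. the configuration the post describes.
# usage: check_config HOSTS PLIST NAME
check_config() {
    hosts_has_entry "$1" "$3" || { echo "no hosts entry for $3"; return 1; }
    [ "$(mdns_timeout_value "$2")" = "2" ] || { echo "mdns_timeout is not 2"; return 1; }
    echo "configuration OK"
}

# Demo on constructed sample files (192.0.2.10 is a documentation address).
demo() {
    h=$(mktemp); p=$(mktemp)
    printf '127.0.0.1 localhost\n192.0.2.10 mydomain\n' > "$h"
    printf '<dict>\n<key>mdns_timeout</key>\n<integer>2</integer>\n</dict>\n' > "$p"
    check_config "$h" "$p" mydomain
    rc=$?
    rm -f "$h" "$p"
    return $rc
}

demo
```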

If the machine is already bound to the domain, then un-bind it before re-joining the domain as below:

System Preferences, Users & Groups, click Login options,
if already bound to a domain, click Edit and then Unbind. Else click Join

Do not enter the details in the first window that pops up; instead click on Open Directory Utility.

Go to Services, Active Directory, and click the pencil icon to edit
Enter the domain name,

mydomain.local

Click Show Advanced Options and click on the Administrative tab
Tick Use Preferred Server and enter the IP address (not the name) of the domain controller
Untick Allow Authentication from any domain in the forest
Click Bind, enter credentials when prompted and wait for 10 minutes...

Once this finishes, stay in the Directory Utility and go to the Search Policy tab
Remove /Active Directory/MYDOMAIN/All Domains
Add /Active Directory/MYDOMAIN/mydomain.local
Move this entry up to immediately under /Local/Default
Your Search Policy list should now look like this:

/Local/Default
/Active Directory/MYDOMAIN/mydomain.local
/Active Directory/MYDOMAIN

Reboot and you can now log in with Active Directory accounts.